Hi,
There is a problem with secure boot. In the sixth step, I get an error when flashing the signed images. My operation steps are as follows:
(1) Firstly, configure the file target\quartz\mfg\OTP\tools\otp_config.xml based on "80-ya121-144_a_enable_secure_boot_on_qca402xcdb2x_1.pdf":
<otp_descriptor>
<firmware_region_write_disable>0</firmware_region_write_disable>
<model_id>0x0</model_id>
<pk_hash>de5480d49ed1cbe0813755f06324fce56e3eb391a9a40ffba8df9fd16c717744</pk_hash>
<!-- <otp_encryp_key>0102030405060708090a0b0c0d0e0f00</otp_encryp_key> -->
<otp_profile>development</otp_profile>
</otp_descriptor>
(2) Compile OTP
Execute the command "build.bat t 4020 cdb" at target\quartz\mfg\OTP\build\gcc.
(3) Flash the OTP programmer image at \target\quartz\mfg\OTP\build\gcc with the python script qflash.py, then I can get the "OTP update success" message appearing on the serial console.
It indicates secure boot is enabled.
(4) Modify the script \target\quartz\demo\QCLI_demo\build\gcc\build.bat
SET SECBOOT=true
...
IF /I "%BOARD_VARIANT%" == "CDB" (
python %SectoolsQdnDir%\sectools.py iot -p 4020 -g m4 -i %OUTDIR%\%PROJECT%.elf -k %SectoolsCertsDir%\qpsa_rootca.key -c %SectoolsCertsDir%\qpsa_rootca.cer --cfg_oem_id=0xffff --cfg_model_id=0x0000 -o . -s
python %SectoolsQdnDir%\sectools.py iot -p 4020 -g m0 -i %RootDir%\bin\cortex-m0\threadx\ioe_ram_m0_threadx_ipt.mbn -k %SectoolsCertsDir%\qpsa_rootca.key -c %SectoolsCertsDir%\qpsa_rootca.cer --cfg_oem_id=0xffff --cfg_model_id=0x0000 -o . -s
python %SectoolsQdnDir%\sectools.py iot -p 4020 -g kf -i %RootDir%\bin\wlan\wlan_fw_img.bin -k %SectoolsCertsDir%\qpsa_rootca.key -c %SectoolsCertsDir%\qpsa_rootca.cer --cfg_oem_id=0xffff --cfg_model_id=0x0000 -o . -s
(5) Execute the command "build.bat t 4020 cdb", then I can get the following files:
target/quartz/demo/QCLI_demo/build/gcc/
---------------4020
---------------m4
---------------m0
---------------kf
(6) Flash signed images, but I get an error. The log is as follows:
/***************************log*****************************
D:\flamingo\QCA4020\test_secure_boot\secure_boot\target\quartz\demo\QCLI_demo\build\gcc>python D:\flamingo\QCA4020\test_secure_boot\secure_boot\target\build\tools\flash\qflash.py --comm 4 --app 4020
qflash.py Info: Generate partition table...
qflash.py Info: Generate FWD table...
[2018-10-16 15:39:30,233] INFO: Checking for files to add to the image for Firmware Descriptor Table 0 File:gen_fwd_table.py:654 Function:fen_xml_program
[2018-10-16 15:39:30,240] INFO: DoneGenerating XML file to pragram. File:gen_fwd_table.py:692 Function:gen_xml_program
qflash.py Info: Download device programmer...
qflash,py Info: Check for QLoader port in Device Manager.
qflash,py Info: Need to reset device?
qflash,py Error: QSaharaServer failed to load Device Programmer.
************************************************************/
From the log, there is an exception at subprocess.check_output(cmd_string, shell=need_shell), which loads the device programmer.
When I don't flash the OTP, the issue does not happen.
So the questions are:
1. Can I flash the signed image using USB as normal?
2. Is there any problem with my steps? Could you kindly help us to check my steps and point out what error happened? Thank you so much!
Hi yanggh0703,
If we want to flash the signed image via USB, we also need to sign the device programmer image.
Instead, we can try to flash the signed image via openocd, as the secure boot document explains.
Can you try to flash the signed image through openocd?
Thanks
BR,
Jayden
Hi Jayden,
Thanks. We can flash the signed image through openocd. These days, we are trying to flash the signed image using USB.
According to your opinion, we tried to sign the device programmer image. Our steps are as follows:
(1) Add a sentence to the script build.bat at target\quartz\demo\QCLI_demo\build\gcc.
python %SectoolsQdnDir%\sectools.py iot -p 4020 -g fire_hose -i D:\flamingo\QCA4020\test_secure_boot\secure_boot\target\build\tools\flash\prog_spinor_firehose_qca4020_lite_m4_threadx.mbn -k %SectoolsCertsDir%\qpsa_rootca.key -c %SectoolsCertsDir%\qpsa_rootca.cer --cfg_oem_id=0xffff --cfg_model_id=0x0000 -o . -s
(2) Add the following statement to the file 4020_iot.xml at target\sectools\qdn\config\4020.
target/quartz/demo/QCLI_demo/build/gcc/
---------------4020
---------------m4
---------------m0
---------------kf
---------------fire_hose
(4) Modify the script qflash.py at target\build\tools\flash.
#validate_file(os.path.join(SDK_flash_tools, "prog_spinor_firehose_qca4020_lite_m4_threadx.mbn"))
(5) Flash signed images, and I get the error too. The log is as follows:
/***************************log*****************************
D:\flamingo\QCA4020\test_secure_boot\secure_boot\target\quartz\demo\QCLI_demo\build\gcc>python D:\flamingo\QCA4020\test_secure_boot\secure_boot\target\build\tools\flash\qflash.py --comm 4 --app 4020
qflash.py Info: Generate partition table...
qflash.py Info: Generate FWD table...
[2018-10-16 15:39:30,233] INFO: Checking for files to add to the image for Firmware Descriptor Table 0 File:gen_fwd_table.py:654 Function:fen_xml_program
[2018-10-16 15:39:30,240] INFO: DoneGenerating XML file to pragram. File:gen_fwd_table.py:692 Function:gen_xml_program
qflash.py Info: Download device programmer...
qflash,py Info: Check for QLoader port in Device Manager.
qflash,py Info: Need to reset device?
qflash,py Error: QSaharaServer failed to load Device Programmer.
********************************************************/
From the log, it fails to load the device programmer, too.
Is there any problem with my steps? Could you kindly help us to check my steps and point out what error happened? Thank you so much!
Hi yanggh0703,
Thanks for your trial.
The device programmer image is also a kind of m4 image.
For signing device programmer, can you try just to use "-g m4" instead of yours?
python %SectoolsQdnDir%\sectools.py iot -p 4020 -g m4 -i D:\flamingo\QCA4020\test_secure_boot\secure_boot\target\build\tools\flash\prog_spinor_firehose_qca4020_lite_m4_threadx.mbn -k %SectoolsCertsDir%\qpsa_rootca.key -c %SectoolsCertsDir%\qpsa_rootca.cer --cfg_oem_id=0xffff --cfg_model_id=0x0000 -o . -s
Thanks
BR,
Jayden
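Added example, not part of the thread or the SDK: a pre-flash check that reads the sectools.py lines of build.bat and reports the two conditions the failed attempts above ran into (device programmer not signed, or signed under a group other than the ones the working commands use). The function names, the KNOWN_GROUPS allow-list, the sample paths, and the rule that --cfg_model_id must equal the OTP model_id are assumptions.

```python
import ntpath

FLAGS = {"-g": "group", "-i": "image", "-k": "key", "-c": "cert"}
# Groups used by the thread's working commands; an assumption, not sectools' own list.
KNOWN_GROUPS = {"m4", "m0", "kf"}
PROGRAMMER = "prog_spinor_firehose_qca4020_lite_m4_threadx.mbn"

def parse_job(line):
    """Extract group, image, key, cert and --cfg_* ids from one sectools.py line."""
    tok, job = line.split(), {}
    for i, t in enumerate(tok):
        if t in FLAGS and i + 1 < len(tok):
            job[FLAGS[t]] = tok[i + 1]
        elif t.startswith("--cfg_") and "=" in t:
            name, value = t[2:].split("=", 1)
            job[name] = int(value, 16)
    return job

def preflight(script_text, otp_model_id):
    """Return a list of problems to fix before flashing over USB."""
    jobs = [parse_job(l) for l in script_text.splitlines() if "sectools.py" in l]
    problems = []
    for j in jobs:
        name = ntpath.basename(j.get("image", "?"))
        if j.get("group") not in KNOWN_GROUPS:
            problems.append(f"{name}: unexpected signing group {j.get('group')!r}")
        # Assumption: the signed model id must equal <model_id> in otp_config.xml.
        if j.get("cfg_model_id") != otp_model_id:
            problems.append(f"{name}: model id differs from OTP value")
    if len({(j.get("key"), j.get("cert"), j.get("cfg_oem_id")) for j in jobs}) > 1:
        problems.append("images are signed with different key/cert/oem_id")
    if not any(ntpath.basename(j.get("image", "")) == PROGRAMMER for j in jobs):
        problems.append("device programmer is not signed")
    return problems

# Constructed sample input modelled on the build.bat lines quoted in the thread.
TAIL = (r"-k %SectoolsCertsDir%\qpsa_rootca.key -c %SectoolsCertsDir%\qpsa_rootca.cer"
        " --cfg_oem_id=0xffff --cfg_model_id=0x0000 -o . -s")

def cmd(group, image):
    return rf"python %SectoolsQdnDir%\sectools.py iot -p 4020 -g {group} -i {image} {TAIL}"

APP_ONLY = "\n".join([cmd("m4", r"%OUTDIR%\%PROJECT%.elf"),
                      cmd("m0", r"%RootDir%\bin\cortex-m0\threadx\ioe_ram_m0_threadx_ipt.mbn"),
                      cmd("kf", r"%RootDir%\bin\wlan\wlan_fw_img.bin")])
WITH_FIRE_HOSE = APP_ONLY + "\n" + cmd("fire_hose", "tools\\flash\\" + PROGRAMMER)
WITH_M4 = APP_ONLY + "\n" + cmd("m4", "tools\\flash\\" + PROGRAMMER)
```

Calling `preflight(text, otp_model_id=0x0)` on the three constructed scripts returns one problem for each of the two failed attempts and an empty list for the `-g m4` variant.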
Hi Jayden,
Thanks for your help. We can flash the signed image.